Fix tests to match session-based architecture

Fixed critical test failures identified by Gemini code review:

1. **executiontoken tests**: Updated all Generate() calls to use new
   session-based signature Generate(sessionID) instead of old token-based
   signature with userEmail, executionID, targetService, etc. Updated
   Claims validation to only check SessionID and IssuedAt fields.

2. **path_matcher tests**: Fixed TestPathMatcherNoPatterns to expect
   fail-closed behavior (deny when no patterns) instead of fail-open
   (allow when no patterns). This matches the security fix in path_matcher.go.

3. **integration tests**: Updated to use /api/execution-session endpoint
   instead of /api/execution-token. Updated request structure to include
   max_ttl_seconds and idle_timeout_seconds. Updated ExecutionTokenResponse
   to include all new session fields (session_id, idle_timeout, max_ttl, etc).

All tests now match the session-based architecture implemented in the
execution proxy.

Author: claude

integration/execution_proxy_test.go

@@ -248,16 +248,17 @@ func TestExecutionProxyPathRestrictions(t *testing.T) {
 	oauthToken := performOAuthFlow(t)
 	connectUserToService(t, "datadog", oauthToken)
 
-	// Request execution token with specific allowed paths
-	t.Log("Requesting execution token with path restrictions...")
+	// Create execution session with specific allowed paths
+	t.Log("Creating execution session with path restrictions...")
 	reqBody, _ := json.Marshal(map[string]any{
-		"execution_id":   "exec-path-test",
-		"target_service": "datadog",
-		"ttl_seconds":    300,
-		"allowed_paths":  []string{"/api/v1/metrics"},
+		"execution_id":         "exec-path-test",
+		"target_service":       "datadog",
+		"max_ttl_seconds":      300,
+		"idle_timeout_seconds": 30,
+		"allowed_paths":        []string{"/api/v1/metrics"},
 	})
 
-	req, _ := http.NewRequest("POST", "http://localhost:8080/api/execution-token", bytes.NewReader(reqBody))
+	req, _ := http.NewRequest("POST", "http://localhost:8080/api/execution-session", bytes.NewReader(reqBody))
 	req.Header.Set("Content-Type", "application/json")
 	req.Header.Set("Authorization", "Bearer "+oauthToken)
 
@@ -324,15 +325,16 @@ func TestExecutionProxyTokenExpiration(t *testing.T) {
 	oauthToken := performOAuthFlow(t)
 	connectUserToService(t, "datadog", oauthToken)
 
-	// Request execution token with very short TTL (2 seconds)
-	t.Log("Requesting execution token with 2-second TTL...")
+	// Create execution session with very short idle timeout (2 seconds)
+	t.Log("Creating execution session with 2-second idle timeout...")
 	reqBody, _ := json.Marshal(map[string]any{
-		"execution_id":   "exec-expiry-test",
-		"target_service": "datadog",
-		"ttl_seconds":    2,
+		"execution_id":         "exec-expiry-test",
+		"target_service":       "datadog",
+		"max_ttl_seconds":      300,
+		"idle_timeout_seconds": 2,
 	})
 
-	req, _ := http.NewRequest("POST", "http://localhost:8080/api/execution-token", bytes.NewReader(reqBody))
+	req, _ := http.NewRequest("POST", "http://localhost:8080/api/execution-session", bytes.NewReader(reqBody))
 	req.Header.Set("Content-Type", "application/json")
 	req.Header.Set("Authorization", "Bearer "+oauthToken)
 
@@ -424,11 +426,15 @@ func TestExecutionProxyServiceIsolation(t *testing.T) {
 
 // Helper functions
 
-// ExecutionTokenResponse represents the response from token issuance
+// ExecutionTokenResponse represents the response from session creation
 type ExecutionTokenResponse struct {
-	Token     string    `json:"token"`
-	ProxyURL  string    `json:"proxy_url"`
-	ExpiresAt time.Time `json:"expires_at"`
+	SessionID       string    `json:"session_id"`
+	Token           string    `json:"token"`
+	ProxyURL        string    `json:"proxy_url"`
+	IdleTimeout     int       `json:"idle_timeout"`
+	MaxTTL          int       `json:"max_ttl"`
+	ExpiresAt       time.Time `json:"expires_at"`
+	MaxTTLExpiresAt time.Time `json:"max_ttl_expires_at"`
 }
 
 // performOAuthFlow simulates the OAuth flow and returns an OAuth token
@@ -504,29 +510,30 @@ func connectUserToService(t *testing.T, serviceName, oauthToken string) {
 	callbackResp.Body.Close()
 }
 
-// requestExecutionToken requests an execution token
+// requestExecutionToken creates an execution session and returns the response
 func requestExecutionToken(t *testing.T, oauthToken, serviceName, executionID string) ExecutionTokenResponse {
 	t.Helper()
 
 	reqBody, _ := json.Marshal(map[string]any{
-		"execution_id":   executionID,
-		"target_service": serviceName,
-		"ttl_seconds":    300,
+		"execution_id":         executionID,
+		"target_service":       serviceName,
+		"max_ttl_seconds":      300,
+		"idle_timeout_seconds": 30,
 	})
 
-	req, _ := http.NewRequest("POST", "http://localhost:8080/api/execution-token", bytes.NewReader(reqBody))
+	req, _ := http.NewRequest("POST", "http://localhost:8080/api/execution-session", bytes.NewReader(reqBody))
 	req.Header.Set("Content-Type", "application/json")
 	req.Header.Set("Authorization", "Bearer "+oauthToken)
 
 	resp, err := http.DefaultClient.Do(req)
-	require.NoError(t, err, "Failed to request execution token")
+	require.NoError(t, err, "Failed to create execution session")
 	defer resp.Body.Close()
 
-	require.Equal(t, 200, resp.StatusCode, "Token request should succeed")
+	require.Equal(t, 200, resp.StatusCode, "Session creation should succeed")
 
 	var tokenResp ExecutionTokenResponse
 	err = json.NewDecoder(resp.Body).Decode(&tokenResp)
-	require.NoError(t, err, "Failed to decode token response")
+	require.NoError(t, err, "Failed to decode session response")
 
 	return tokenResp
 }

internal/executiontoken/token_test.go

@@ -12,13 +12,8 @@ func TestTokenGenerationAndValidation(t *testing.T) {
 	generator := NewGenerator(signingKey, ttl)
 	validator := NewValidator(signingKey, ttl)
 
-	token, err := generator.Generate(
-		"user@example.com",
-		"exec-123",
-		"datadog",
-		[]string{"/api/v1/*", "/api/v2/metrics/*"},
-		1000,
-	)
+	sessionID := "sess_abc123"
+	token, err := generator.Generate(sessionID)
 	if err != nil {
 		t.Fatalf("Failed to generate token: %v", err)
 	}
@@ -32,20 +27,16 @@ func TestTokenGenerationAndValidation(t *testing.T) {
 		t.Fatalf("Failed to validate token: %v", err)
 	}
 
-	if claims.UserEmail != "user@example.com" {
-		t.Errorf("Expected user email 'user@example.com', got '%s'", claims.UserEmail)
+	if claims.SessionID != sessionID {
+		t.Errorf("Expected session ID '%s', got '%s'", sessionID, claims.SessionID)
 	}
-	if claims.ExecutionID != "exec-123" {
-		t.Errorf("Expected execution ID 'exec-123', got '%s'", claims.ExecutionID)
-	}
-	if claims.TargetService != "datadog" {
-		t.Errorf("Expected target service 'datadog', got '%s'", claims.TargetService)
-	}
-	if len(claims.AllowedPaths) != 2 {
-		t.Errorf("Expected 2 allowed paths, got %d", len(claims.AllowedPaths))
+
+	if claims.IssuedAt.IsZero() {
+		t.Error("Expected IssuedAt to be set")
 	}
-	if claims.MaxRequests != 1000 {
-		t.Errorf("Expected max requests 1000, got %d", claims.MaxRequests)
+
+	if time.Since(claims.IssuedAt) > 1*time.Second {
+		t.Errorf("Expected IssuedAt to be recent, got %v", claims.IssuedAt)
 	}
 }
 
@@ -56,13 +47,7 @@ func TestTokenExpiration(t *testing.T) {
 	generator := NewGenerator(signingKey, ttl)
 	validator := NewValidator(signingKey, ttl)
 
-	token, err := generator.Generate(
-		"user@example.com",
-		"exec-123",
-		"datadog",
-		nil,
-		0,
-	)
+	token, err := generator.Generate("sess_abc123")
 	if err != nil {
 		t.Fatalf("Failed to generate token: %v", err)
 	}
@@ -84,13 +69,7 @@ func TestTokenWithDifferentSigningKey(t *testing.T) {
 	generator := NewGenerator(signingKey1, ttl)
 	validator := NewValidator(signingKey2, ttl)
 
-	token, err := generator.Generate(
-		"user@example.com",
-		"exec-123",
-		"datadog",
-		nil,
-		0,
-	)
+	token, err := generator.Generate("sess_abc123")
 	if err != nil {
 		t.Fatalf("Failed to generate token: %v", err)
 	}
@@ -101,58 +80,14 @@ func TestTokenWithDifferentSigningKey(t *testing.T) {
 	}
 }
 
-func TestGenerateWithMissingFields(t *testing.T) {
+func TestGenerateWithMissingSessionID(t *testing.T) {
 	signingKey := []byte("test-signing-key-that-is-at-least-32-bytes-long!!")
 	ttl := 5 * time.Minute
 	generator := NewGenerator(signingKey, ttl)
 
-	tests := []struct {
-		name          string
-		userEmail     string
-		executionID   string
-		targetService string
-		expectError   bool
-	}{
-		{
-			name:          "missing user email",
-			userEmail:     "",
-			executionID:   "exec-123",
-			targetService: "datadog",
-			expectError:   true,
-		},
-		{
-			name:          "missing execution ID",
-			userEmail:     "user@example.com",
-			executionID:   "",
-			targetService: "datadog",
-			expectError:   true,
-		},
-		{
-			name:          "missing target service",
-			userEmail:     "user@example.com",
-			executionID:   "exec-123",
-			targetService: "",
-			expectError:   true,
-		},
-		{
-			name:          "all fields present",
-			userEmail:     "user@example.com",
-			executionID:   "exec-123",
-			targetService: "datadog",
-			expectError:   false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			_, err := generator.Generate(tt.userEmail, tt.executionID, tt.targetService, nil, 0)
-			if tt.expectError && err == nil {
-				t.Error("Expected error but got none")
-			}
-			if !tt.expectError && err != nil {
-				t.Errorf("Expected no error but got: %v", err)
-			}
-		})
+	_, err := generator.Generate("")
+	if err == nil {
+		t.Error("Expected error when session ID is empty")
 	}
 }
 
@@ -177,35 +112,3 @@ func TestValidateMalformedToken(t *testing.T) {
 		t.Error("Expected validation to fail for malformed token")
 	}
 }
-
-func TestTokenWithOptionalFields(t *testing.T) {
-	signingKey := []byte("test-signing-key-that-is-at-least-32-bytes-long!!")
-	ttl := 5 * time.Minute
-
-	generator := NewGenerator(signingKey, ttl)
-	validator := NewValidator(signingKey, ttl)
-
-	// Generate token without optional fields
-	token, err := generator.Generate(
-		"user@example.com",
-		"exec-123",
-		"datadog",
-		nil, // No allowed paths
-		0,   // No max requests
-	)
-	if err != nil {
-		t.Fatalf("Failed to generate token: %v", err)
-	}
-
-	claims, err := validator.Validate(token)
-	if err != nil {
-		t.Fatalf("Failed to validate token: %v", err)
-	}
-
-	if claims.AllowedPaths != nil {
-		t.Errorf("Expected nil allowed paths, got %v", claims.AllowedPaths)
-	}
-	if claims.MaxRequests != 0 {
-		t.Errorf("Expected 0 max requests, got %d", claims.MaxRequests)
-	}
-}

internal/proxy/path_matcher_test.go

@@ -135,7 +135,7 @@ func TestPathMatcherMultiplePatterns(t *testing.T) {
 func TestPathMatcherNoPatterns(t *testing.T) {
 	pm := NewPathMatcher([]string{})
 
-	// Empty patterns should allow everything
+	// Empty patterns should deny everything (fail-closed)
 	tests := []string{
 		"/api/v1/metrics",
 		"/api/v2/logs",
@@ -145,8 +145,8 @@ func TestPathMatcherNoPatterns(t *testing.T) {
 
 	for _, path := range tests {
 		t.Run(path, func(t *testing.T) {
-			if !pm.IsAllowed(path) {
-				t.Errorf("IsAllowed(%s) = false, want true (empty patterns should allow all)", path)
+			if pm.IsAllowed(path) {
+				t.Errorf("IsAllowed(%s) = true, want false (empty patterns should deny all - fail-closed)", path)
 			}
 		})
 	}